From: Danny Al-Gaaf <danny.al-gaaf@bisect.de>
To: Deepak Shetty <dpkshetty@gmail.com>,
"OpenStack Development Mailing List (not for usage questions)"
<openstack-dev@lists.openstack.org>
Cc: ceph-devel@vger.kernel.org
Subject: Re: [openstack-dev] [Manila] Ceph native driver for manila
Date: Wed, 04 Mar 2015 00:40:47 +0100 [thread overview]
Message-ID: <54F6467F.2000708@bisect.de> (raw)
In-Reply-To: <CAOXiiM=n6K7LjkB0pkDBj11ND7=UhAgioBZ2wgJOY90u79ZNkA@mail.gmail.com>
Am 03.03.2015 um 19:31 schrieb Deepak Shetty:
[...]
>> For us security is very critical, as the performance is too. The
>> first solution via ganesha is not what we prefer (to use CephFS
>> via p9 and NFS would not perform that well I guess). The second
>> solution, to use CephFS directly to the VM would be a bad
>> solution from the security point of view since we can't expose
>> the Ceph public network directly to the VMs to prevent all the
>> security issues we discussed already.
>>
>
> Is there any place the security issues are captured for the case
> where VMs access CephFS directly ?
No there isn't any place and this is the issue for us.
> I was curious to understand. IIUC Neutron provides private and
> public networks and for VMs to access external CephFS network, the
> tenant private network needs to be bridged/routed to the external
> provider network and there are ways neturon achives it.
>
> Are you saying that this approach of neutron is insecure ?
I don't say neutron itself is insecure.
The problem is: we don't want any VM to get access to the ceph public
network at all since this would mean access to all MON, OSDs and MDS
daemons.
If a tenant VM has access to the ceph public net, which is needed to
use/mount native cephfs in this VM, one critical issue would be: the
client can attack any ceph component via this network. Maybe I misses
something, but routing doesn't change this fact.
Danny
next prev parent reply other threads:[~2015-03-03 23:40 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-27 0:04 [Manila] Ceph native driver for manila Sage Weil
[not found] ` <alpine.DEB.2.00.1502261602390.23918-vIokxiIdD2AQNTJnQDzGJqxOck334EZe@public.gmane.org>
2015-03-01 14:07 ` Danny Al-Gaaf
2015-03-02 19:21 ` [openstack-dev] " Luis Pabon
[not found] ` <835936292.21191270.1425324075471.JavaMail.zimbra-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-03-03 18:31 ` Deepak Shetty
2015-03-03 23:40 ` Danny Al-Gaaf [this message]
[not found] ` <54F6467F.2000708-2YacvwyR+KOzQB+pC5nmwQ@public.gmane.org>
2015-03-04 4:19 ` Deepak Shetty
2015-03-04 14:05 ` [openstack-dev] " Danny Al-Gaaf
2015-03-04 14:12 ` Csaba Henk
[not found] ` <1011159141.22473140.1425478320272.JavaMail.zimbra-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-03-04 14:26 ` Danny Al-Gaaf
2015-03-04 15:03 ` [openstack-dev] " Csaba Henk
2015-03-04 17:56 ` Gregory Farnum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54F6467F.2000708@bisect.de \
--to=danny.al-gaaf@bisect.de \
--cc=ceph-devel@vger.kernel.org \
--cc=dpkshetty@gmail.com \
--cc=openstack-dev@lists.openstack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.